
How to configure S3 bucket permissions on AWS

S3 (Simple Storage Service) is the object storage service provided by AWS; it stores data as objects in S3 buckets. By default, all S3 buckets are private and cannot be accessed publicly over the internet; only AWS users with the required permissions can access the objects inside a bucket. Public access to the objects in an S3 bucket can also be enabled, in which case the objects become available to the entire public internet.

There are two types of permissions in an S3 bucket.

  • User-based
  • Resource-based

For user-based permissions, an IAM policy is created that defines the IAM user's level of access to S3 buckets and their objects, and the policy is attached to the IAM user. The IAM user then has access only to the specific objects defined in the IAM policy.

Resource-based permissions are assigned to the S3 resources themselves. Using these permissions, we can define whether an S3 object can be accessed from other AWS accounts or not. There are the following types of S3 resource-based policies.

  • Bucket policies
  • Access control list

This article describes in detail how to configure S3 bucket permissions using the AWS management console.

User-based permissions

User-based permissions are assigned to an IAM user and define whether that user has access to specific S3 objects or not. For this purpose, an IAM policy is written and attached to the IAM user.

In this section we will write an inline IAM policy that grants specific permissions to an IAM user. First, log into the AWS management console and go to the IAM service.

An IAM policy can be attached to either a user or a user group in IAM. If you want to apply the same IAM policy to multiple users, add all the users to a group and attach the IAM policy to the group.

For this demo, we will attach the IAM policy to a single user. From the IAM console, click on Users in the left side panel.

From the list of users, click on the user to which you want to attach the IAM policy.

Select the Permissions tab and click on the Add inline policy button on the right side of the tab.

You can now create the IAM policy either with the visual editor or by writing JSON. We will use the visual editor for this demo.

In the visual editor we select the service, the actions, and the resources. The service is the AWS service for which we write the policy; for this demo, it is S3.

The actions define which operations on S3 the policy allows or denies. For example, adding the ListBucket action lets the IAM user list the objects in S3 buckets. For this demo, we will grant only the List and Read permissions.

Resources define which S3 resources this IAM policy affects. If we select a specific S3 resource, the policy applies only to that resource. For this demo, we will select all resources.

After selecting the service, actions, and resources, click on the JSON tab; it displays the generated JSON defining all the permissions. Change the Effect from Allow to Deny so that the policy denies the specified actions on the specified resources.

Now click on the Review policy button at the bottom right corner of the console. It asks for the name of the IAM policy. Enter the policy name and click on the Create policy button to add the inline policy to the existing user.

Now the IAM user cannot perform the actions specified in the IAM policy on any S3 resource. Whenever the IAM user tries to perform a denied action, it gets the following error in the console.

Resource-based permissions

Unlike IAM policies, resource-based permissions are applied to S3 resources such as buckets and objects. This section shows how to configure resource-based permissions on an S3 bucket.

Bucket policies

S3 bucket policies are used to grant permissions on an S3 bucket and its objects. Only the bucket owner can create and configure the bucket policy. The permissions applied by the bucket policy affect all the objects inside the S3 bucket except for objects owned by other AWS accounts.

By default, when an object is uploaded to your S3 bucket from another AWS account, it is owned by that AWS account (the object writer). That account has access to the object and can grant permissions on it using ACLs.

S3 bucket policies are written in JSON, and they can allow or deny permissions on the objects of an S3 bucket. In this section we will write a demo S3 bucket policy and attach it to an S3 bucket.

First, go to S3 from the AWS management console.

Go to the S3 bucket to which you want to apply the bucket policy.

Go to the permissions tab in the S3 bucket.

Scroll down to the Bucket policy section and click on the Edit button at the top right corner of the section to add a bucket policy.

Now add the following bucket policy to the S3 bucket. This sample bucket policy blocks every action on the objects in the S3 bucket, even if an IAM policy that grants access to S3 is attached to the user. In the Resource field of the policy, replace BUCKET-NAME with your S3 bucket name before attaching it to the S3 bucket.

{
    "Version": "2012-10-17",
    "Id": "Policy-1",
    "Statement": [
        {
            "Sid": "policy to block all access on S3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
    ]
}

To write a custom S3 bucket policy, visit the AWS policy generator at the following URL.

https://awspolicygen.s3.amazonaws.com/policygen.html

After attaching the S3 bucket policy, try to upload a file into the S3 bucket; it will throw the following error.
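The two sections above rely on the same evaluation rule: an explicit Deny, whether it comes from the user's IAM policy or from the bucket policy, overrides any Allow, and a request that matches nothing is implicitly denied. The following added example (not part of the original article) models that rule for same-account requests with a constructed IAM policy and a bucket policy of the same shape as the one above; it ignores Principal, NotAction, NotResource and Condition, and the bucket name example-bucket is made up. It also shows that a Deny whose Resource ends in /* covers objects only, so bucket-level actions such as ListBucket on the bucket ARN are still allowed.

```python
import fnmatch

# Constructed sample policies for this example.
IAM_POLICY = {  # identity policy attached to the user: List and Read plus upload
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": "*",
    }],
}
BUCKET_POLICY = {  # same shape as the article's policy, bucket name constructed
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "policy to block all access on S3",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """IAM wildcards (* and ?) map onto fnmatch; case-sensitive is close enough here."""
    act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", [])))
    return act_ok and res_ok


def evaluate(action, resource, identity_policy, bucket_policy=None):
    """Simplified same-account evaluation: explicit Deny wins, then Allow, else implicit deny.
    Principal is assumed to match (the sample bucket policy uses "*")."""
    statements = list(identity_policy["Statement"])
    if bucket_policy:
        statements += bucket_policy["Statement"]
    matched = [s for s in statements if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "ExplicitDeny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj, bucket = "arn:aws:s3:::example-bucket/report.csv", "arn:aws:s3:::example-bucket"
    print(evaluate("s3:GetObject", obj, IAM_POLICY))                    # Allow
    print(evaluate("s3:PutObject", obj, IAM_POLICY, BUCKET_POLICY))     # ExplicitDeny
    print(evaluate("s3:ListBucket", bucket, IAM_POLICY, BUCKET_POLICY)) # Allow
```

Because the Deny stops at the object ARNs, bucket-level calls such as editing or removing the bucket policy itself remain possible for the owner, which is what lets you undo the sample policy from the console.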

Access control lists

Amazon S3 access control lists (ACLs) manage access at the S3 bucket and S3 object level. Each S3 bucket and object has an ACL associated with it; whenever a request is received, S3 checks the ACL and decides whether to grant the permission or not.

In this section we will configure the S3 access control list to make the S3 bucket public so that everyone on the internet can access the objects stored in the bucket.

NOTE: Please be sure not to have any secret data in the bucket before following this section, as we will make the S3 bucket public and your data will be exposed to the public internet.

First, go to the S3 service from the AWS management console and select the bucket for which you want to configure the access control list. Before configuring the access control list, change the bucket's Block public access settings to allow public access on the bucket.

In the S3 bucket, go to the permissions tab.

Scroll down to the Block public access section in the permissions tab and click on the Edit button.

It opens separate options for blocking access granted through different mechanisms. Uncheck the boxes that block access granted by access control lists and click on the Save changes button.

From the S3 bucket, click on the object you want to make public and go to its permissions tab.

Click on the Edit button at the right corner of the permissions tab and check the boxes that grant everyone access to the object.

Click on Save changes to apply the access control list; the S3 object is now accessible to anyone over the internet. Go to the properties tab of the S3 object (not the S3 bucket) and copy the Object URL.

Open the URL in a browser, and the file opens in the browser.

Conclusion

AWS S3 can be used to store data that is accessible over the internet, but at the same time there may be data you do not want to expose to the world. AWS S3 provides fine-grained configuration that can allow or block access down to the object level, so you can configure S3 bucket permissions such that some objects in a bucket are public while others remain private. This article gives essential guidance on configuring S3 bucket permissions using the AWS management console.

About the author

Zain Abideen

A DevOps Engineer with expertise in provisioning and managing servers on AWS and software delivery lifecycle (SDLC) automation. I'm from Gujranwala, Pakistan, and currently working as a DevOps engineer.